#!/usr/bin/perl use strict; use warnings; # === auth-command === # the command that GL users actually run # part of the gitolite (GL) suite # how run: via sshd, being listed in "command=" in ssh authkeys # when: every login by a GL user # input: $1 is GL username, plus $SSH_ORIGINAL_COMMAND # output: # security: # - currently, we just make some basic checks, copied from gitosis # robustness: # other notes: # ---------------------------------------------------------------------------- # common definitions # ---------------------------------------------------------------------------- # these are set by the "rc" file our ($GL_LOGT, $GL_CONF_COMPILED, $REPO_BASE, $GIT_PATH, $REPO_UMASK, $GL_ADMINDIR, $RSYNC_BASE, $HTPASSWD_FILE, $GL_WILDREPOS); # and these are set by gitolite.pm our ($R_COMMANDS, $W_COMMANDS, $REPONAME_PATT, $REPOPATT_PATT); our %repos; # the common setup module is in the same directory as this running program is my $bindir = $0; $bindir =~ s/\/[^\/]+$//; $bindir = "$ENV{PWD}/$bindir" unless $bindir =~ /^\//; require "$bindir/gitolite.pm"; # ask where the rc file is, get it, and "do" it &where_is_rc(); die "parse $ENV{GL_RC} failed: " . ($! or $@) unless do $ENV{GL_RC}; # we need to pass GL_ADMINDIR and the bindir to the child hooks $ENV{GL_ADMINDIR} = $GL_ADMINDIR; $ENV{GL_BINDIR} = $bindir; # add a custom path for git binaries, if specified $ENV{PATH} .= ":$GIT_PATH" if $GIT_PATH; # set the umask before creating any files umask($REPO_UMASK); my $repo_base_abs = $ENV{GL_REPO_BASE_ABS} = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" ); # ---------------------------------------------------------------------------- # start... # ---------------------------------------------------------------------------- # if the first argument is a "-s", this user is allowed to get a shell using # this key my $shell_allowed = 0; if ($ARGV[0] eq '-s') { $shell_allowed = 1; shift; } # first, fix the biggest gripe I have with gitosis, a 1-line change my $user=$ENV{GL_USER}=shift; # there; now that's available everywhere! # ---------------------------------------------------------------------------- # logging, timestamp env vars # ---------------------------------------------------------------------------- # timestamp my ($s, $min, $h, $d, $m, $y) = (localtime)[0..5]; $y += 1900; $m++; # usual adjustments for ($s, $min, $h, $d, $m) { $_ = "0$_" if $_ < 10; } $ENV{GL_TS} = "$y-$m-$d.$h:$min:$s"; # substitute template parameters and set the logfile name $GL_LOGT =~ s/%y/$y/g; $GL_LOGT =~ s/%m/$m/g; $GL_LOGT =~ s/%d/$d/g; $ENV{GL_LOG} = $GL_LOGT; # ---------------------------------------------------------------------------- # sanity checks on SSH_ORIGINAL_COMMAND # ---------------------------------------------------------------------------- # no SSH_ORIGINAL_COMMAND given... unless ($ENV{SSH_ORIGINAL_COMMAND}) { # if the user is allowed to use a shell, give him one if ($shell_allowed) { my $shell = $ENV{SHELL}; $shell =~ s/.*\//-/; # change "/bin/bash" to "-bash" exec { $ENV{SHELL} } $shell; } # otherwise, pretend he typed in "info" and carry on... $ENV{SSH_ORIGINAL_COMMAND} = 'info'; } # ---------------------------------------------------------------------------- # get and set perms for actual repo created by wildcard-autoviv # ---------------------------------------------------------------------------- my $CUSTOM_COMMANDS=qr/^\s*(expand|(get|set)(perms|desc))\b/; # note that all the subs called here chdir somewhere else and do not come # back; they all blithely take advantage of the fact that processing custom # commands is sort of a dead end for normal (git) processing if ($ENV{SSH_ORIGINAL_COMMAND} =~ $CUSTOM_COMMANDS) { die "wildrepos disabled, sorry\n" unless $GL_WILDREPOS; my $cmd = $ENV{SSH_ORIGINAL_COMMAND}; my ($verb, $repo) = ($cmd =~ /^\s*(\S+)(?:\s+'?\/?(.*?)(?:\.git)?'?)?$/); # deal with "no argument" cases $verb eq 'expand' ? $repo = '^' : die "$verb needs an argument\n" unless $repo; if ($repo =~ $REPONAME_PATT and $verb =~ /getperms|setperms/) { # with an actual reponame, you can "getperms" or "setperms" get_set_perms($repo_base_abs, $repo, $verb, $user); } elsif ($repo =~ $REPONAME_PATT and $verb =~ /(get|set)desc/) { # with an actual reponame, you can "getdesc" or "setdesc" get_set_desc($repo_base_abs, $repo, $verb, $user); } elsif ($verb eq 'expand') { # with a wildcard, you can "expand" it to see what repos actually match die "$repo has invalid characters" unless "x$repo" =~ $REPOPATT_PATT; expand_wild($GL_ADMINDIR, $GL_CONF_COMPILED, $repo_base_abs, $repo, $user); } else { die "$cmd doesn't make sense to me\n"; } exit 0; } # ---------------------------------------------------------------------------- # non-git commands # ---------------------------------------------------------------------------- # if the command does NOT fit the pattern of a normal git command, send it off # somewhere else... # side notes on detecting a normal git command: the pattern we check allows # old style as well as new style ("git-subcommand arg" or "git subcommand # arg"), just like gitosis does, although I'm not sure how necessary that is. # Currently, this is how git sends across the command (including the single # quotes): # git-receive-pack 'reponame.git' my ($verb, $repo) = ($ENV{SSH_ORIGINAL_COMMAND} =~ /^\s*(git\s+\S+|\S+)\s+'\/?(.*?)(?:\.git)?'/); unless ( $verb and ( $verb =~ $R_COMMANDS or $verb =~ $W_COMMANDS ) and $repo and $repo =~ $REPONAME_PATT ) { # ok, it's not a normal git command; call the special command helper &special_cmd ($GL_ADMINDIR, $GL_CONF_COMPILED, $shell_allowed, $RSYNC_BASE, $HTPASSWD_FILE); exit; } die "$repo ends with a slash; I don't like that\n" if $repo =~ /\/$/; die "$repo has two consecutive periods; I don't like that\n" if $repo =~ /\.\./; # reponame $ENV{GL_REPO}=$repo; # ---------------------------------------------------------------------------- # the real git commands (git-receive-pack, etc...) # ---------------------------------------------------------------------------- # ---------------------------------------------------------------------------- # first level permissions check # ---------------------------------------------------------------------------- if ( -d "$repo_base_abs/$repo.git" ) { # existing repo my ($creater, $user_R, $user_W) = &wild_repo_rights($repo_base_abs, $repo, $user); &parse_acl($GL_CONF_COMPILED, $repo, $creater, $user_R, $user_W); } else { &parse_acl($GL_CONF_COMPILED, $repo, $user, "NOBODY", "NOBODY"); # auto-vivify new repo if you have C access (and wildrepos is on) if ( $GL_WILDREPOS and $repos{$repo}{C}{$user} || $repos{$repo}{C}{'@all'} ) { wrap_chdir("$repo_base_abs"); new_repo($repo, "$GL_ADMINDIR/hooks/common", $user); wrap_chdir($ENV{HOME}); } else { # repo didn't exist, and you didn't have perms to create it. Delete # the "convenience" copy of the ACL that parse_acl makes for us delete $repos{$repo}; } } # we know the user and repo; we just need to know what perm he's trying my $perm = ($verb =~ $R_COMMANDS ? 'R' : 'W'); die "$perm access for $repo DENIED to $user\n" unless $repos{$repo}{$perm}{$user} or $repos{'@all'}{$perm}{$user} # new: access to @all repos or $repos{$repo}{$perm}{'@all'}; # ---------------------------------------------------------------------------- # over to git now # ---------------------------------------------------------------------------- &log_it("$ENV{GL_TS}\t$ENV{SSH_ORIGINAL_COMMAND}\t$user\n"); $repo = "'$REPO_BASE/$repo.git'"; exec("git", "shell", "-c", "$verb $repo");